Re: [knot-dns-users] logging inbound NOTIFY?

2018-07-02 Thread Peter Hudec

Anyway, Knot does not support catalog zones at this moment, and at
least in my case /still not using Knot/ the hacks are the only way to
implement such provisioning.

For a ccTLD I do not see any need for this feature, since the number of
zones does not change often. I did it with Ansible a few years ago.

On the registrar side it would be a nice feature, but most of them have
their own provisioning system in place.

From my point of view, catalog zones are just a nice-to-have feature,
not a killer one.

regards
Peter

P.S. I was on both sides /ccTLD and registrar/ so I know the needs of both
sides ;)

On 02/07/2018 12:50, Ondřej Surý wrote:
> 
>> On 2 Jul 2018, at 12:45, Petr Špaček  wrote:
>> 
>> On 2.7.2018 12:28, Klaus Darilion wrote:
>>> On 18.06.2018 at 11:16, Peter Hudec wrote:
>>>> if you want a DNS server agnostic solution, look at
>>>> http://dotat.at/prog/nsnotifyd/
>>>> 
>>>> combine it with the
>>>> https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.
>>>> 
>>>> Add a little bit of integration coding and that's it. :)
>>> 
>>> And some more coding to delete zones. That's the problem of
>>> automatic provisioning based on NOTIFYs. Probably you could add a
>>> "superdelete" feature which removes the zone on the slave if
>>> the master responds to SOA checks/XFR with a certain response.
>>> 
>>> Catalog zones would be a cleaner solution. And btw: AFAIK
>>> Yadifa also has something similar to catalog zones using a
>>> special DNS class and XFR.
>> 
>> All these are mere hacks; the cleanest solution would be a YANG model
>> for zone management.
> 
> s/YANG/a provisioning/
> 
> YANG is just an implementation of a provisioning interface. And I
> believe there are much better solutions to pick from.
> 
> Ondrej -- Ondřej Surý ond...@sury.org
> 


-- 
*Peter Hudec*
Infrastructure architect
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2  35 000 100

Mobile: +421 905 997 203
*www.cnc.sk* 

-- 
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users


Re: [knot-dns-users] logging inbound NOTIFY?

2018-07-02 Thread Ondřej Surý

> On 2 Jul 2018, at 12:45, Petr Špaček  wrote:
> 
> On 2.7.2018 12:28, Klaus Darilion wrote:
>> On 18.06.2018 at 11:16, Peter Hudec wrote:
>>> if you want a DNS server agnostic solution, look at
>>> http://dotat.at/prog/nsnotifyd/
>>> 
>>> combine it with the
>>> https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.
>>> 
>>> Add a little bit of integration coding and that's it. :)
>> 
>> And some more coding to delete zones. That's the problem of automatic
>> provisioning based on NOTIFYs. Probably you could add a "superdelete"
>> feature which removes the zone on the slave if the master responds to
>> SOA checks/XFR with a certain response.
>> 
>> Catalog zones would be a cleaner solution. And btw: AFAIK Yadifa also
>> has something similar to catalog zones using a special DNS class and XFR.
> 
> All these are mere hacks; the cleanest solution would be a YANG model for zone
> management.

s/YANG/a provisioning/

YANG is just an implementation of a provisioning interface. And I believe there
are much better solutions to pick from.

Ondrej
--
Ondřej Surý
ond...@sury.org


Re: [knot-dns-users] logging inbound NOTIFY?

2018-07-02 Thread Daniel Salzman


On 07/02/2018 12:45 PM, Petr Špaček wrote:
> On 2.7.2018 12:28, Klaus Darilion wrote:
>> On 18.06.2018 at 11:16, Peter Hudec wrote:
>>> if you want a DNS server agnostic solution, look at
>>> http://dotat.at/prog/nsnotifyd/
>>>
>>> combine it with the
>>> https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.
>>>
>>> Add a little bit of integration coding and that's it. :)
>>
>> And some more coding to delete zones. That's the problem of automatic
>> provisioning based on NOTIFYs. Probably you could add a "superdelete"
>> feature which removes the zone on the slave if the master responds to
>> SOA checks/XFR with a certain response.
>>
>> Catalog zones would be a cleaner solution. And btw: AFAIK Yadifa also
>> has something similar to catalog zones using a special DNS class and XFR.
> 
> All these are mere hacks; the cleanest solution would be a YANG model for zone
> management.
> 

However, Knot DNS is not a big fan of YANG ;-)


Re: [knot-dns-users] logging inbound NOTIFY?

2018-07-02 Thread Petr Špaček
On 2.7.2018 12:28, Klaus Darilion wrote:
> On 18.06.2018 at 11:16, Peter Hudec wrote:
>> if you want a DNS server agnostic solution, look at
>> http://dotat.at/prog/nsnotifyd/
>>
>> combine it with the
>> https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.
>>
>> Add a little bit of integration coding and that's it. :)
> 
> And some more coding to delete zones. That's the problem of automatic
> provisioning based on NOTIFYs. Probably you could add a "superdelete"
> feature which removes the zone on the slave if the master responds to
> SOA checks/XFR with a certain response.
> 
> Catalog zones would be a cleaner solution. And btw: AFAIK Yadifa also
> has something similar to catalog zones using a special DNS class and XFR.

All these are mere hacks; the cleanest solution would be a YANG model for zone
management.

-- 
Petr Špaček  @  CZ.NIC


Re: [knot-dns-users] logging inbound NOTIFY?

2018-07-02 Thread Klaus Darilion


On 18.06.2018 at 11:16, Peter Hudec wrote:
> if you want a DNS server agnostic solution, look at
> http://dotat.at/prog/nsnotifyd/
> 
> combine it with the
> https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.
> 
> Add a little bit of integration coding and that's it. :)

And some more coding to delete zones. That's the problem of automatic
provisioning based on NOTIFYs. Probably you could add a "superdelete"
feature which removes the zone on the slave if the master responds to
SOA checks/XFR with a certain response.

Catalog zones would be a cleaner solution. And btw: AFAIK Yadifa also
has something similar to catalog zones using a special DNS class and XFR.

regards
Klaus


Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-18 Thread Peter Hudec

if you want a DNS server agnostic solution, look at
http://dotat.at/prog/nsnotifyd/

combine it with the
https://jpmens.net/2013/02/13/automatic-provisioning-of-slave-dns-servers/.

Add a little bit of integration coding and that's it. :)

Peter

On 17/06/2018 00:00, Mark Jeftovic wrote:
> As far as I know, catalog zones are implemented by Bind only and
> still it's in a draft state. We haven't decided yet how and when to
> implement this or alternative functionality.


-- 
*Peter Hudec*
Infrastructure architect
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2  35 000 100

Mobile: +421 905 997 203
*www.cnc.sk* 



Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-16 Thread Mark Jeftovic

PowerDNS does the dynamic adding of slave zones via "supermasters"


https://doc.powerdns.com/authoritative/modes-of-operation.html#supermaster-automatic-provisioning-of-slaves

- mark

On 2018-06-15 2:53 AM, Daniel Salzman wrote:
> Hi Antti,
>
> As far as I know, catalog zones are implemented by Bind only and still it's
> in a draft state. We haven't decided yet how and when to implement this or
> alternative functionality.
>
> Daniel
>
> On 06/15/2018 05:34 AM, Antti Ristimäki wrote:
>> Hi list,
>>
>> This was a very good question, as for example we have sometimes
>> investigated the possibility to dynamically configure zones by incoming
>> notify messages. This leads me to a question, whether or not Knot is
>> going to support catalog zones? Or is the whole catalog zone concept
>> only a Bind-specific feature?
>>
>> Antti
>>
>>
>> On 13.06.2018 00:43, Mark Jeftovic wrote:
>>> Hi, just getting up to speed on knotDNS and trying to get dynamically
>>> added secondaries working via bootstrapping.
>>>
>>> My understanding is when the server receives a notify from an authorized
>>> master, if it is not already in the zone list it will add it and AXFR
>>> it, right?
>>>
>>> In my conf:
>>>
>>> acl:
>>>   - id: "acl_master"
>>>     # address is multi-valued in Knot: give it a list, not a repeated key
>>>     address: [ "64.68.198.83", "64.68.198.91" ]
>>>     action: "notify"
>>>
>>> remote:
>>>   - id: "master"
>>>     address: [ "64.68.198.83@53", "64.68.198.91@53" ]
>>>
>>> But whenever I send NOTIFY from either of those masters, nothing happens
>>> on the knotDNS side. I have my logging as:
>>>
>>> log:
>>>   - target: "syslog"
>>>     any: "debug"
>>>
>>>
>>> Thx
>>>
>>> - mark
>>>
>>>



Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-15 Thread Daniel Salzman
Hi Antti,

As far as I know, catalog zones are implemented by Bind only and still it's
in a draft state. We haven't decided yet how and when to implement this or
alternative functionality.

Daniel

On 06/15/2018 05:34 AM, Antti Ristimäki wrote:
> Hi list,
> 
> This was a very good question, as for example we have sometimes
> investigated the possibility to dynamically configure zones by incoming
> notify messages. This leads me to a question, whether or not Knot is
> going to support catalog zones? Or is the whole catalog zone concept
> only a Bind-specific feature?
> 
> Antti
> 
> 
> On 13.06.2018 00:43, Mark Jeftovic wrote:
>> Hi, just getting up to speed on knotDNS and trying to get dynamically
>> added secondaries working via bootstrapping.
>>
>> My understanding is when the server receives a notify from an authorized
>> master, if it is not already in the zone list it will add it and AXFR
>> it, right?
>>
>> In my conf:
>>
>> acl:
>>   - id: "acl_master"
>>     # address is multi-valued in Knot: give it a list, not a repeated key
>>     address: [ "64.68.198.83", "64.68.198.91" ]
>>     action: "notify"
>>
>> remote:
>>   - id: "master"
>>     address: [ "64.68.198.83@53", "64.68.198.91@53" ]
>>
>> But whenever I send NOTIFY from either of those masters, nothing happens
>> on the knotDNS side. I have my logging as:
>>
>> log:
>>   - target: "syslog"
>>     any: "debug"
>>
>>
>> Thx
>>
>> - mark
>>
>>
> 


Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-14 Thread Antti Ristimäki
Hi list,

This was a very good question, as for example we have sometimes
investigated the possibility to dynamically configure zones by incoming
notify messages. This leads me to a question, whether or not Knot is
going to support catalog zones? Or is the whole catalog zone concept
only a Bind-specific feature?

Antti


On 13.06.2018 00:43, Mark Jeftovic wrote:
> Hi, just getting up to speed on knotDNS and trying to get dynamically
> added secondaries working via bootstrapping.
>
> My understanding is when the server receives a notify from an authorized
> master, if it is not already in the zone list it will add it and AXFR
> it, right?
>
> In my conf:
>
> acl:
>   - id: "acl_master"
>     # address is multi-valued in Knot: give it a list, not a repeated key
>     address: [ "64.68.198.83", "64.68.198.91" ]
>     action: "notify"
>
> remote:
>   - id: "master"
>     address: [ "64.68.198.83@53", "64.68.198.91@53" ]
>
> But whenever I send NOTIFY from either of those masters, nothing happens
> on the knotDNS side. I have my logging as:
>
> log:
>   - target: "syslog"
>     any: "debug"
>
>
> Thx
>
> - mark
>
>



Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-14 Thread Daniel Salzman


On 06/14/2018 05:06 PM, Anand Buddhdev wrote:
> On 14/06/2018 16:58, Mark Jeftovic wrote:
> 
> Hi Mark,
> 
>> I misread the docs, sorry and thanks for the reply. I thought it worked
>> similar to the PowerDNS supermaster concept.
> 
> Yes, I had assumed that you had mixed it up with the PowerDNS
> supermaster idea.
> 
>> Is there any way to dynamically add zones remotely? Similar to BIND's
>> rndc across the network?
> 
> Yes, you can. The "knotc" control utility can change any part of Knot's
> configuration while it is running, including adding/removing zones. See
> the man page for more details, and of course, read the excellent Knot
> documentation, where things are explained in detail.
> 
> My understanding is that if you want dynamic reconfiguration, you have to
> use a "conf-db" rather than a plain text config file.
> 

You are right, Anand :-)

> Regards,
> Anand
> 
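Putting the three suggestions in this thread together (Peter's nsnotifyd hook plus "a little bit of integration coding", Klaus's "superdelete" check against the master, and Anand's point that knotc can add and remove zones at runtime when Knot uses a conf-db), here is an added example; it is not code from the thread or from the Knot DNS project. It assumes Knot is running with a configuration database, that a remote and an acl with the given ids already exist in it, and that something outside this script (an nsnotifyd command, a cron job) passes the zone name in and, for the delete check, the rcode of a SOA query to the master. The helper names valid_zone, zone_add, zone_del and soa_check_action are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Knot DNS. Assumes a running
# Knot with a configuration database (conf-db), so that knotc conf-begin /
# conf-set / conf-unset / conf-commit transactions are allowed, and that the
# remote id and acl id passed in already exist in that configuration.
KNOTC="${KNOTC:-knotc}"   # set KNOTC=echo for a dry run that only prints the commands

# Accept only plain hostnames: letters, digits, '-' and '.', no leading dot,
# no empty label. The zone name ends up inside a knotc item path, and when
# it arrives via an inbound NOTIFY it is input chosen by a remote party,
# so it is validated before anything else happens.
valid_zone() {
  case "$1" in
    ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Add a secondary zone in one knotc transaction. Any failure aborts the
# transaction so the running configuration is left exactly as it was.
zone_add() {   # zone_add <zone> <remote-id> <acl-id>
  valid_zone "$1" || { echo "zone_add: rejected zone name '$1'" >&2; return 1; }
  "$KNOTC" conf-begin &&
  "$KNOTC" conf-set "zone[$1]" &&
  "$KNOTC" conf-set "zone[$1].master" "$2" &&
  "$KNOTC" conf-set "zone[$1].acl" "$3" &&
  "$KNOTC" conf-commit && return 0
  "$KNOTC" conf-abort >/dev/null 2>&1
  return 1
}

# Remove a zone in one transaction (the "superdelete" side of the story).
zone_del() {   # zone_del <zone>
  valid_zone "$1" || { echo "zone_del: rejected zone name '$1'" >&2; return 1; }
  "$KNOTC" conf-begin &&
  "$KNOTC" conf-unset "zone[$1]" &&
  "$KNOTC" conf-commit && return 0
  "$KNOTC" conf-abort >/dev/null 2>&1
  return 1
}

# Decide what a periodic SOA check against the master means. Only an
# authoritative refusal (REFUSED or NOTAUTH) says the master dropped the
# zone; SERVFAIL, a timeout or anything unexpected is treated as transient
# and never removes a zone on the secondary. The rcode string is assumed to
# be extracted from the checking tool's output by the caller.
soa_check_action() {   # soa_check_action <rcode-or-TIMEOUT>  -> keep|delete|retry
  case "$1" in
    NOERROR)          echo keep ;;
    REFUSED|NOTAUTH)  echo delete ;;
    *)                echo retry ;;
  esac
}

# Stand-alone usage:  ./provision.sh add example.com master acl_master
#                     ./provision.sh del example.com
case "${1:-}" in
  add) zone_add "$2" "$3" "$4" ;;
  del) zone_del "$2" ;;
esac
```

Run it with `KNOTC=echo` to see the exact knotc transaction without a server. Two choices matter for a secondary that provisions itself from NOTIFYs: the zone name is rejected before it reaches knotc unless it is a plain hostname, and deletion is only triggered by REFUSED or NOTAUTH, so a master outage (SERVFAIL, timeout) during the check can never wipe zones off the secondary.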


Re: [knot-dns-users] logging inbound NOTIFY?

2018-06-14 Thread Mark Jeftovic


On 2018-06-13 2:23 AM, Anand Buddhdev wrote:
> On 12/06/2018 23:43, Mark Jeftovic wrote:
>
> Hi Mark,
>
>> My understanding is when the server receives a notify from an authorized
>> master, if it is not already in the zone list it will add it and AXFR
>> it, right?
> No, it doesn't work that way. You need to add the zone to the config of
> the slave and call "knotc reload" on it.
>
>
I misread the docs, sorry and thanks for the reply. I thought it worked
similar to the PowerDNS supermaster concept.

Is there any way to dynamically add zones remotely? Similar to BIND's
rndc across the network?

- mark
